Data transmission method and system, computer device, and storage medium

The present application claims priority of the Chinese Patent Application No. 202310161692.7, filed on Feb. 23, 2023, the disclosure of which is incorporated herein by reference in the present application.

Embodiments of the present disclosure relate to a data transmission method, system, and apparatus, a computer device, and a storage medium.

With the development of information technology, more and more people use clients to communicate on the network. After a client sends out data to be transmitted, the data to be transmitted usually needs to be processed by several intermediate servers (e.g., gateway servers, load balancing servers, cache servers, etc.) and then forwarded to a target server. When the data to be transmitted is sent to an intermediate server, sensitive data (such as the user's personal information) in the data to be transmitted may easily be leaked.

For example, according to the Hypertext Transfer Protocol Secure (HTTPS), the data to be transmitted sent by the client is encrypted, but each intermediate server stores a key to decrypt the encrypted transmission data, so each intermediate server can still decrypt the encrypted data to be transmitted and obtain the sensitive data in the data to be transmitted. Therefore, how to ensure the data security of the sensitive data in the data to be transmitted has become an urgent problem to be solved.

The embodiments of the present disclosure at least provide a data transmission method, system, and apparatus, a computer device, and a storage medium.

In a first aspect, the embodiments of the present disclosure provide a data transmission method, including:

In a possible embodiment, after responding to the data transmission instruction, the data transmission method further includes:

In a possible embodiment, sending the target transmission data to the target server includes:

In a possible embodiment, the at least one intermediate server includes at least one selected from a group consisting of a load balancing server, a gateway server, and a cache server.

In a possible embodiment, the data transmission method further includes:

In a second aspect, the embodiments of the present disclosure further provide a data transmission method, including:

In a possible embodiment, the data transmission method further includes:

In a possible embodiment, the first public key generated by the target server is transmitted to the client through a non-network transmission method.

In a third aspect, the embodiments of the present disclosure further provide a data transmission system, including:

In a fourth aspect, the embodiments of the present disclosure further provide a data transmission apparatus, including:

In a possible embodiment, after responding to the data transmission instruction, the data transmission apparatus is further configured to:

In a possible embodiment, the sending module, when sending the target transmission data to the target server, is configured to:

In a possible embodiment, the at least one intermediate server includes at least one selected from a group consisting of a load balancing server, a gateway server, and a cache server.

In a possible embodiment, the data transmission apparatus is further configured to:

In a fifth aspect, the embodiments of the present disclosure further provide a data transmission apparatus, including:

In a possible embodiment, the data transmission apparatus is further configured to:

In a possible embodiment, the first public key generated by the target server is transmitted to the client through a non-network transmission method.

In a sixth aspect, the embodiments of the present disclosure further provide a computer device, including a processor, a memory and a bus; the memory stores machine-readable instructions executable by the processor, and when the computer device is running, the processor and the memory communicate with each other through the bus; and when the machine-readable instructions are executed by the processor, steps in the first aspect, or in any of the possible embodiments of the first aspect are implemented, or steps in the second aspect, or in any of the possible embodiments of the second aspect are implemented.

In a seventh aspect, the embodiments of the present disclosure further provide a computer-readable storage medium, a computer program is stored on the computer-readable storage medium, and when the computer program is run by a processor, steps in the first aspect, or in any of the possible embodiments of the first aspect are implemented, or steps in the second aspect, or in any of the possible embodiments of the second aspect are implemented.

The data transmission method, system and apparatus, computer device and storage medium provided by the embodiments of the present disclosure can generate, after responding to a data transmission instruction, a first key based on a temporary private key generated by the client and a first public key generated by a target server; then encrypt target data in data to be transmitted to obtain target encryption data based on the first key; and finally, send target transmission data, which includes a temporary public key generated by the client corresponding to the temporary private key, the target encryption data, and other data in the data to be transmitted except the target data, to the target server. In this way, because the target server receives the temporary public key and a first private key corresponding to the first public key is stored in the target server, the target server can generate a second key corresponding to the first key, and decrypt the target encryption data based on the second key to obtain the target data. Even if an intermediate server obtains the target encryption data, because the intermediate server can only obtain the temporary public key, and cannot generate a key to decrypt the target encryption data, the target encryption data cannot be decrypted to obtain the target data, thereby ensuring the data security of the target data and avoiding leakage of the target data.

In order to make the above-mentioned objects, features and advantages of the present disclosure more obvious and understandable, preferred embodiments are given below and described in detail with reference to the drawings.

In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions of the embodiments of the present disclosure will be described clearly and completely below with reference to the drawings in the embodiments of the present disclosure. Obviously, the described embodiments are only part of the embodiments of the present disclosure, but not all embodiments. The components of the embodiments of the present disclosure generally described and illustrated in the drawings herein may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the present disclosure provided in the drawings is not intended to limit the protection scope of the present disclosure, but rather to represent selected embodiments of the present disclosure. Based on the embodiments of the present disclosure, all other embodiments obtained by those skilled in the art without any creative efforts shall fall within the protection scope of the present disclosure.

In the encryption method using Hypertext Transfer Protocol Secure (HTTPS), the target server and the client usually generate symmetric keys to respectively encrypt and decrypt the data to be transmitted sent by the client, to ensure the data security of the data to be transmitted during transmission. However, before the data to be transmitted is sent to the target server, the data to be transmitted usually needs to be processed by an intermediate server. For example, respective distribution servers in a content delivery network (CDN) need to distribute the data to be transmitted to different servers for processing based on part of the data to be transmitted, and the gateway server can audit the data to be transmitted. Therefore, the intermediate server usually holds the key to decrypt the encrypted data to be transmitted, so that each intermediate server can directly obtain the plaintext data of the data to be transmitted, which may easily cause the leakage of sensitive information in the data to be transmitted.

Based on the above research, the present disclosure provides a data transmission method, system and apparatus, a computer device and a storage medium, which can generate, after responding to a data transmission instruction, a first key based on a temporary private key generated by the client and a first public key generated by a target server; then encrypt target data in data to be transmitted to obtain target encryption data based on the first key; and finally, send target transmission data, which includes a temporary public key generated by the client corresponding to the temporary private key, the target encryption data, and other data in the data to be transmitted except the target data, to the target server. In this way, because the target server receives the temporary public key and a first private key corresponding to the first public key is stored in the target server, the target server can generate a second key corresponding to the first key, and decrypt the target encryption data based on the second key to obtain the target data. Even if an intermediate server obtains the target encryption data, because the intermediate server can only obtain the temporary public key, and cannot generate a key to decrypt the target encryption data, the target encryption data cannot be decrypted to obtain the target data, thereby ensuring the data security of the target data and avoiding leakage of the target data.

It should be noted that similar reference numerals and letters represent similar items in the following drawings, therefore, once an item is defined in one drawing, it does not need to be further defined and explained in subsequent drawings.

The term “and/or” in the present disclosure only describes an association relationship, indicating that three relationships can exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the term “at least one” herein means any one of a plurality or any combination of at least two of a plurality, for example, including at least one of A, B, and C may mean including any one or more elements selected from the set consisting of A, B, and C.

It may be understood that before using the technical solutions disclosed in the embodiments of the present disclosure, users should be informed of the type, scope of use, usage scenarios, etc. of the personal information involved in the present disclosure in an appropriate manner in accordance with relevant laws and regulations and the user's authorization is obtained.

For example, in response to receiving an active request from a user, a prompt message is sent to the user to clearly remind the user that the operation requested will require the acquisition and use of the user's personal information. Therefore, users can autonomously choose whether to provide personal information to software or hardware such as an electronic device, an application, a server or a storage medium that perform the operations of the technical solution of the present disclosure based on the prompt information.

As an optional but non-limiting implementation, in response to receiving an active request form a user, the method of sending prompt information to the user may be, for example, a pop-up window, and the prompt information may be presented in the form of text in the pop-up window. In addition, the pop-up window may also contain a selection control for the user to choose “agree” or “disagree” to provide personal information to an electronic device.

It may be understood that the above-mentioned process of notifying and obtaining user authorization is only illustrative and does not limit the implementation of the present disclosure, and other methods that satisfy relevant laws and regulations may also be applied to the implementation of the present disclosure.

In order to facilitate understanding of the present disclosure, a data transmission method disclosed in the embodiments of the present disclosure is first introduced in detail. The execution subject of the data transmission method provided by the embodiments of the present disclosure is a client, and the client may be, for example, a personal computer, a tablet computer, a smart phone, etc. In some possible implementations, the data transmission method may be implemented by a processor calling computer-readable instructions stored in a memory.

Refer to, which is a flowchart of a data transmission method provided by the embodiments of the present disclosure, the data transmission method includes stepsto.

Step: generating, in response to a data transmission instruction, a first key based on a temporary private key generated by the client and a first public key generated by a target server;

Step: encrypting target data in data to be transmitted to obtain target encryption data based on the first key;

Step: sending target transmission data to the target server to cause the target server to generate a second key corresponding to the first key based on a temporary public key and a first private key corresponding to the first public key, and to decrypt the target encryption data based on the second key, in which the target transmission data includes the temporary public key generated by the client corresponding to the temporary private key, the target encryption data, and other data in the data to be transmitted except the target data.

The following is a detailed description for the above-mentioned steps.

For step:

Specifically, the data transmission instruction may be generated in response to a first triggering operation, which includes but not limited to click, double click, long press, slide, drag, etc. For example, the data transmission instruction may be generated in response to a click operation on a target button.

In a possible embodiment, after responding to the data transmission instruction, the client may send a data transmission request to the target server and receive a verification certificate sent by the target server. Specifically, the verification certificate may be, for example, a Secure Socket Layer (SSL) certificate, also known as an SSL certificate. The verification certificate may include a second public key, data to be verified, and signature data. The data to be verified may include data such as the issuing object, issuer, and validity period of the verification certificate. By verifying the data to be verified, it can be determined whether the data sent by the target server to the client has been tampered with. For example, the signature data may be decrypted by the second public key to obtain first verification data, and the data to be verified may be processed using a preset algorithm (such as a hash function) to obtain second verification data. In the case that the first verification data and the second verification data are consistent, it is determined that the verification certificate has not been tampered with.

In a possible embodiment, when generating the first key based on the temporary private key generated by the client and the first public key generated by the target server, the first key may be generated based on the temporary private key, the first public key, at least one random number, and a target key generation algorithm. For example, at least one random number may be generated by the client and/or the target server, and the random number generated by the target server may be sent to the client by the target server after receiving a data transmission request.

In a possible embodiment, the temporary private key may be generated through the following method: generating, in response to satisfying a key generation condition, the temporary private key and the temporary public key corresponding to the temporary private key based on a preset key generation algorithm.

Exemplarily, the key generation condition may include: in response to a startup of a target application, in response to a data transmission instruction, the time interval between the current time and the most recent generation time of the last temporary key (including temporary private key and temporary public key) exceeds a preset time, etc. In a specific example, the temporary key may be deleted in response to the shutdown of the target application, and the temporary key may be generated in response to the startup of the target application. In another example, the temporary key may be generated when the time interval between the current time and the most recent generation time exceeds one week. Exemplarily, the preset key generation algorithm may be a key generation algorithm in Elliptic Curve Cryptography (ECC) algorithm, and the embodiments of the present disclosure do not limit other key generation algorithms. By adopting this method, the temporary key can be automatically updated, making the temporary key time-sensitive, thereby ensuring information security.

For step:

The target data that needs to be encrypted in the data to be transmitted may be pre-set, and exemplarily, the target data may be sensitive data (such as personal data of users). Alternatively, in another possible embodiment, content recognition may be performed on the data to be transmitted, and in the case that a preset keyword is detected in the data to be transmitted, the field containing the preset keyword in the data to be transmitted may be determined as the target data. Exemplarily, the preset keyword may include address, contact phone number, itinerary information, etc.

For example, in the case where the temporary key is generated based on a key generation algorithm in the ECC algorithm, the target data can be encrypted based on a key encryption algorithm in the ECC algorithm. The embodiments of the present disclosure do not limit other key encryption algorithms.